Epsilon Data Breach to Cost Billions in Worst-Case Scenario

The ultimate price tag of the data breach at email marketing company Epsilon could be as high as $4 billion, depending on what happens to the stolen data and customer churn, a cyber-risk analytics firm said.

Email marketing services company Epsilon's recent data
breach could cost the company as much as $4 billion, according to a worst-case
scenario outlined in a recent report.
Epsilon will face years of repercussions, up to $225 million
in liabilities and $45 million in lost business, cyber-risk analytics and
intelligence firm CyberFactors said in a report released April 29. The report
broke down costs for forensics audits and monitoring, fines, litigation and
lost business for Epsilon and its affected customers in a three-year outlook.

The total cost of the Epsilon breach could eventually run as
high as $3 billion to $4 billion, given that compromised email addresses could
be used by hackers and phishers to gain access to sites that contain consumers'
personal information, according to CyberFactors. This figure includes costs to
Epsilon, its customers and the individuals whose email addresses were stolen.
Until a spear phishing campaign that can be directly linked to the breach
occurs, the estimate remains "theoretical," according to the report.

"Cloud companies would be wise to think more like banks,
insurance companies and hedge funds, and not just aggregators of the world's
precious data and technology dependencies," said Regina Clark, research and
analytics director for CyberFactors.
The company disclosed March 30 that attackers had breached
its databases and stolen email addresses for two percent of its customers,
which included major names such as Best Buy, Citibank and the Walt Disney
Company. Epsilon has not revealed the number of affected consumers or the
number of email addresses stolen.
Despite Epsilon's claim of two percent affected customers on
an April conference call with analysts, it was more likely that the breach
involved 75 companies, or three percent, of the company's client roster,
according to the CyberFactors report. The repercussions, which include
notifying customers and changing marketing strategies, would wind up costing
$412 million. Combine that with liabilities, and Epsilon is looking at an
aggregate cost of $637 million, or more than half a billion dollars, for an
email database.
Ed Heffernan, CEO of Alliance Data had projected no
"meaningful" costs or liability related to the incident.
Each customer will likely face $5.5 million in costs, which
would include notifying consumers, settlements and legal fees, compliance costs
and loss of business.
CyberFactors "conservatively estimated" the number of
compromised email addresses at 60 million. The analysis assumed that the
affected Epsilon customers had roughly equal numbers of emails compromised.
Epsilon will likely be paying for the breach for years, as
51 percent of the costs will be incurred in year one, 42 percent in year two,
or 2012, and seven percent in year three and thereafter.
"The Epsilon event suggests a much more profound financial
risk environment is now upon us," Clark said.
Epsilon, and its parent company, Alliance Data Systems, are
understandably concerned about losing customers as a result of the breach. The
"vast, vast majority, if not all" of the clients would stick around, Heffernan had
predicted after the breach. CyberFactors said it was more likely that Epsilon
will lose both current and potential customers scared away by the news.
Loss of revenue related to customer churn could range
from$6.1 million, if only one percent of customers moved their business
elsewhere, to more than $30 million if five percent of the customers left, according
to the report.
The economics of business risk for cloud providers and their
customers can no longer be ignored and cloud vendors need to innovate.
"Everyday people are at risk and starting to get breach fatigue and quite frankly,
severely irritated," the report authors wrote.